Skip to content

Instantly share code, notes, and snippets.

@momenbasel

momenbasel/rce.phtml

Created September 23, 2020 15:48
Show Gist options
  • Save momenbasel/ccb91523f86714edb96c871d4cf1d05c to your computer and use it in GitHub Desktop.
Save momenbasel/ccb91523f86714edb96c871d4cf1d05c to your computer and use it in GitHub Desktop.
Download ZIP
cs cart authenticated RCE
Raw
rce.phtml
get PHP shells from http://pentestmonkey.net/tools/web-shells/php-reverse-shell
edit IP && PORT
Upload to file manager
change the extension from .php to .phtml
visit http://[victim]/skins/shell.phtml --> Profit. ...!
@F-Masood
Copy link

F-Masood commented Jan 26, 2021
edited
Loading

The above explanation is lacking some information, so here is a better explanation:

  1. Visit "cs-cart" /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section).
  2. Under Look and Feel section click on "template editor".
  3. And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload.
  4. If successful, you should be able to get a RCE.
  5. For example, grab this file -> https://raw.githubusercontent.com/F-Masood/php-backdoors/main/whoami.php and rename it to whoami.phtml
  6. Now, visit http://[victim]/skins/whoami.phtml
  7. And you should see 'www-data' or 'apache' etc as the output.

@simongasparato
Copy link

The above explanation is lacking some information, so here is a better explanation:

  1. Visit "cs-cart" /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section).
  2. Under Look and Feel section click on "template editor".
  3. And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload.
  4. If successful, you should be able to get a RCE.
  5. For example, grab this file -> https://raw.githubusercontent.com/F-Masood/php-backdoors/main/whoami.php and rename it to whoami.phtml
  6. Now, visit http://[victim]/skins/whoami.phtml
  7. And you should see 'www-data' or 'apache' etc as the output.

You sir, are a legend. Thanks

@F-Masood
Copy link

The above explanation is lacking some information, so here is a better explanation:

  1. Visit "cs-cart" /admin.php and login (Remember: You need to login on ADMIN section not on the regular USER section).
  2. Under Look and Feel section click on "template editor".
  3. And under that section, upload your malicious .php file, make sure you rename it to .phtml before you upload.
  4. If successful, you should be able to get a RCE.
  5. For example, grab this file -> https://raw.githubusercontent.com/F-Masood/php-backdoors/main/whoami.php and rename it to whoami.phtml
  6. Now, visit http://[victim]/skins/whoami.phtml
  7. And you should see 'www-data' or 'apache' etc as the output.

You sir, are a legend. Thanks

̿̿ ̿̿ ̿̿ ̿'̿'\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment